Puppet's Architecture 3.7
Puppet configures systems in two main stages:
- Compile a catalog
- Apply the catalog
The Agent/Master Architecture
Puppet usually runs in an agent/master architecture, where a puppet master server controls important configuration info and managed agent nodes request only their own configuration catalogs.
Basics
In this architecture, managed nodes run the puppet agent application, usually as a background service. One or more servers run the puppet master application, usually as a Rack application managed by a web server (like Apache with Passenger).
Periodically, puppet agent will send facts to the puppet master and request a catalog. The master will compile and return that node’s catalog, using several sources of information it has access to.
Once it receives a catalog, puppet agent will apply it by checking each resource the catalog describes. If it finds any resources that are not in their desired state, it will make any changes necessary to correct them. (Or, in no-op mode, it will report on what changes would have been needed.)
After applying the catalog, the agent will submit a report to the puppet master.
The Stand-Alone Architecture
Puppet can run in a stand-alone architecture, where each managed server has its own complete copy of your configuration info and compiles its own catalog.
Basics
In this architecture, managed nodes run the puppet apply application, usually as a scheduled task or cron job. (You can also run it on demand for initial configuration of a server or for smaller configuration tasks.)
Like the puppet master application, puppet apply needs access to several sources of configuration data, which it uses to compile a catalog for the node it is managing.
After puppet apply compiles the catalog, it immediately applies it by checking each resource the catalog describes. If it finds any resources that are not in their desired state, it will make any changes necessary to correct them. (Or, in no-op mode, it will report on what changes would have been needed.)
After applying the catalog, puppet apply will store a report on disk. It can also be configured to send reports to a central service.
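The compile-then-apply cycle described above for both puppet agent and puppet apply, as an added model that is not Puppet's own code: the site configuration, the facts and the in-memory "disk" are constructed stand-ins for the master's modules, the agent's facts and the managed host's filesystem. It compiles one node's catalog from its role, applies it first in no-op mode (report only), then for real, and then again to show that a converged node reports nothing to change.

```python
# Added illustration of the two-stage model on this page: compile a catalog,
# then apply it. Not Puppet's own code. The "site" dict, the facts and the
# in-memory "disk" are constructed stand-ins for the master's modules, the
# agent's facts and the managed host's filesystem.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    type: str      # only "file" is modelled here
    title: str     # the path
    content: str   # desired content


@dataclass
class Report:
    noop: bool
    changed: list = field(default_factory=list)    # corrected (or, in noop mode, would be)
    unchanged: list = field(default_factory=list)  # already in the desired state

    @property
    def status(self):
        if not self.changed:
            return "unchanged"
        return "noop" if self.noop else "changed"


def compile_catalog(facts, site):
    """Compile stage: select this node's resources from the site configuration.

    Only the node's own role is consulted, mirroring the master handing each
    agent just its own catalog; the agent never sees other roles' data.
    """
    return [Resource("file", path, content)
            for path, content in site[facts["role"]].items()]


def apply_catalog(catalog, disk, noop=False):
    """Apply stage: check every resource, correct drift unless noop is set."""
    report = Report(noop=noop)
    for res in catalog:
        if disk.get(res.title) == res.content:
            report.unchanged.append(res.title)
            continue
        report.changed.append(res.title)
        if not noop:
            disk[res.title] = res.content   # the only state-changing step
    return report


def demo():
    """Run noop, then a real apply, then apply again to show convergence."""
    site = {"web": {"/etc/motd": "managed by puppet\n",
                    "/etc/nginx/nginx.conf": "worker_processes 2;\n"},
            "db":  {"/etc/motd": "managed by puppet\n"}}
    facts = {"role": "web"}                  # stands in for the agent's facts
    disk = {"/etc/motd": "hand-edited\n"}    # drifted; nginx.conf absent
    catalog = compile_catalog(facts, site)
    dry = apply_catalog(catalog, disk, noop=True)   # reports, changes nothing
    first = apply_catalog(catalog, disk)             # corrects both files
    second = apply_catalog(catalog, disk)            # converged, nothing to do
    return dry.status, first.status, second.status, disk == site["web"]


if __name__ == "__main__":
    print(demo())   # ('noop', 'changed', 'unchanged', True)
```

The report is what an agent would send back to the master (or what puppet apply writes to disk); the no-op run produces the same list of drifted resources without touching the disk, which is why it is safe to schedule on production nodes before a real run.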
Differences Between Agent/Master and Puppet Apply
In general, puppet apply can do the same things as the combination of puppet agent and puppet master, but there are several trade-offs around security and the ease of certain tasks.
If you don’t have a preference, you should default to an agent/master architecture. If you have questions, considering these trade-offs will help you make your decision.
- Principle of least privilege. In agent/master Puppet, each agent only gets its own configuration (the master's auth.conf lets a node request only the catalog for its own certname), and is unable to see how other nodes are configured. With puppet apply, it's impractical to do this, so every node holds complete knowledge of how your site is configured, including any credentials embedded in manifests or Hiera data. Depending on how you're configuring your systems, this can raise the risk of horizontal privilege escalation: an attacker who compromises one node learns how every other node is set up.
- Ease of centralized reporting and inventory. Agents send reports to the puppet master by default, and the master can be configured with any number of report handlers to pass these on to other services. You can also connect the master to PuppetDB, a powerful tool for querying inventory and activity data. Puppet apply nodes handle their own information, so if you’re using PuppetDB or sending reports to another service, each node needs to be configured and authorized to connect to it.
- Ease of updating configurations. Only the puppet master server(s) have the Puppet modules, main manifests, and other data necessary for compiling catalogs. This means that when you need to update your systems’ configurations, you only need to update content on one (or a few) servers. In a decentralized puppet apply deployment, you’ll need to sync new configuration code and data to every node.
- CPU and memory usage on managed machines. Since puppet agent doesn’t compile its own catalogs, it uses fewer resources on the machines it manages, leaving them with more capacity for their designated tasks.
- Need for a dedicated master server. The puppet master takes on the performance load of compiling all catalogs, and it should usually be a dedicated machine with a fast processor, lots of RAM, and a fast disk. Not everybody wants to (or is able to) allocate that, and puppet apply can get around the need for it.
- Need for good network connectivity. Agents need to be able to reach the puppet master at a reliable hostname in order to configure themselves. If a system lives in a degraded or isolated network environment, you may want it to be more self-sufficient.
- Security overhead. Agents and masters use HTTPS to secure their communications and authenticate each other, and every system involved needs an SSL certificate. Puppet includes a built-in CA to manage certificates easily, but it's even easier to not manage them at all. (You still need to manage security somehow, though: whatever channel you use to push Puppet content to every node, such as Rsync or a Git checkout, effectively has root-level write access to each node's configuration, so it needs the same authentication and integrity protection the agent/master channel gets from HTTPS.)
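How the least-privilege property in the first trade-off is enforced on a Puppet 3.x master, as an added illustration that is not Puppet's code: the model below implements a subset of the auth.conf rule syntax (path, path ~ regex, method, auth, allow with $1 backreferences) and evaluates requests against two constructed rule sets. The strict set uses the `allow $1` form that Puppet's default auth.conf uses for /catalog and /report, so a node can fetch only the catalog whose name matches its own certificate; the loose set replaces that with `allow *`, which is the situation a puppet apply deployment is in by default, where every node holds everything. Deny rules, the environment prefix Puppet strips from request paths before matching, and `auth no` are left out of the model.

```python
# Added illustration, not Puppet's code: a model of how a Puppet 3.x master's
# auth.conf restricts each agent to its own catalog (the "least privilege"
# point above). It implements a subset of the rule syntax (path, path ~ regex,
# method, auth, allow with $1 backreferences); deny rules, the environment
# prefix Puppet strips from request paths before matching, and "auth no" are
# left out. The two rule sets are constructed here; the $1 form is the one
# Puppet's default auth.conf uses for /catalog and /report.
import re

STRICT_RULES = """\
# each node may fetch only the catalog for its own certname
path ~ ^/catalog/([^/]+)$
method find
allow $1

# reports may only be saved under the sender's own certname
path ~ ^/report/([^/]+)$
method save
allow $1

# module files are readable by any authenticated node
path /file
allow *

# everything else: no allow line, so denied
path /
auth any
"""

# Weak variant: any node with a valid certificate can fetch any other node's
# catalog, which is the exposure the page describes for puppet apply.
LOOSE_RULES = STRICT_RULES.replace("allow $1", "allow *", 1)


def parse_rules(text):
    """Parse auth.conf text into an ordered list of rule dicts."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        val = val.strip()
        if key == "path":
            cur = {"regex": val.startswith("~"),
                   "path": val.lstrip("~").strip(),
                   "method": None,       # None means any method
                   "auth": "yes",        # default: client certificate required
                   "allow": []}
            rules.append(cur)
        elif key == "method":
            cur["method"] = {m.strip() for m in val.split(",")}
        elif key == "auth":
            cur["auth"] = val
        elif key == "allow":
            cur["allow"] += [a.strip() for a in val.split(",")]
    return rules


def authorized(rules, method, path, certname=None):
    """First rule whose path and method match decides; certname is None when
    the request carried no client certificate."""
    for rule in rules:
        if rule["regex"]:
            match = re.search(rule["path"], path)
            if not match:
                continue
            groups = match.groups()
        else:
            if not path.startswith(rule["path"]):   # plain paths are prefixes
                continue
            groups = ()
        if rule["method"] and method not in rule["method"]:
            continue
        if certname is None and rule["auth"] != "any":
            return False
        for entry in rule["allow"]:
            for i, group in enumerate(groups, 1):
                entry = entry.replace("$%d" % i, group)   # $1 -> captured certname
            if entry == "*" or entry == certname:
                return True
        return False
    return False


def demo():
    strict, loose = parse_rules(STRICT_RULES), parse_rules(LOOSE_RULES)
    me, other = "web01.example.com", "db01.example.com"
    return (
        authorized(strict, "find", "/catalog/" + me, me),      # own catalog: True
        authorized(strict, "find", "/catalog/" + other, me),   # another node's: False
        authorized(loose, "find", "/catalog/" + other, me),    # loose rule set: True
        authorized(strict, "find", "/catalog/" + me, None),    # no client cert: False
    )


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The check worth carrying over to a real master is the second and third results: with `allow $1` a compromised web node cannot pull the database node's catalog, with `allow *` it can, and nothing else in the deployment changes. Since rules are evaluated in order, an overly broad rule placed above the catalog rule has the same effect as the loose set.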
Playing Atari with Deep Reinforcement Learning <Computer Science>, 2013 Abstract: 本文提出了一种深度学习方 ...